Please improve OpenSSL compatibility for SSL

Dirk Dittert
Level 1

It would be nice if CSRs generated through the web interface were compliant with OpenSSL.


The problem is that CSRs cannot be parsed by OpenSSL the way that they are shown in the HTML page:

openssl req -in csr.txt -noout -text says:

unable to load X509 request
139838211532448:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:805:


The reason for this is simple: OpenSSL expects the CSR to be wrapped after 64 characters but the SG300 generates them in a single line. Manually rewrapping the CSR allowed me to process the CSR in OpenSSL – but that's a fact that took about 8h to figure out...


Also: I was not able to import a public/private key combination that was generated through OpenSSL. One of the reasons is that the SG300 expects the banner for the public key to be BEGIN RSA PUBLIC KEY whereas OpenSSL seems to use BEGIN PUBLIC KEY. Even after fixing the header, all I managed to get was Failed to load public key. Finally, I gave up trying and used the CSR way to install the certificate. It would be great if the SSL handling were a little smoother. Thanks!


Firmware version is 1.3.7.18

4 Replies

chrebert
Level 4

Hello Dirk,

Your best bet for something like this would be to give us a call and ask to open a support case. Give the technician a link to this post and ask for an escalation for a feature request/bug. I can't guarantee what will be done about it, it may be working as intended, but I can get it to the right people.

Cisco Small Business Support Center Contact Numbers

Thank you for choosing Cisco,

Christopher Ebert - Network Support Engineer

Cisco Small Business Support Center

I'm sorry, I can't do that. I just got a nice strong kick in the butt for spending some extra time trying to help Cisco improve its products:

from Prem Baburaj to All Participants:
I am afraid that the remote tech warranty and online chat support warranty is expired on the device.
from Prem Baburaj to All Participants:
Without this support I am unable to escalate the case for new feature request

phlafeil
Level 1

To import a public/private key combination that was generated through OpenSSL, you need to transform them a little bit.

1) extract the public key using the following command:

openssl rsa -in cert.pem -RSAPublicKey_out -out rsapubkey.pem

   it will generate a banner using BEGIN RSA PUBLIC KEY

2) in a hex editor, using the RSA Public Key PEM file:
    remove all 0a characters BUT
    ○ the one just after -----BEGIN RSA PUBLIC KEY-----
    ○ the one just before -----END RSA PUBLIC KEY-----
    (remove the last 0a character too)

3) extract the plain-text RSA private key from the PEM file using the following command:

openssl rsa -in cert.pem -out rsakey.pem

    it will generate a banner using BEGIN RSA PRIVATE KEY

4) in a hex editor, using the RSA plain-text private key PEM file:
    remove all 0a characters BUT
    ○ the one just after -----BEGIN RSA PRIVATE KEY-----
    ○ the one just before -----END RSA PRIVATE KEY-----
    (remove the last 0a character too)

5) just copy/paste the updated file contents into the Cisco web interface

For the certificate itself, in a hex editor, using the PEM file:
 - remove everything before -----BEGIN CERTIFICATE-----
 - remove everything after -----END CERTIFICATE-----
(remove the last 0a character too, but keep all 0a characters between the 2 previous tags. There is 1 every 64 characters)

After all this stuff, it should work! (it worked for me)
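Both of the problems in this thread (OpenSSL rejecting the switch's single-line CSR, and the switch wanting keys with the line feeds stripped) come down to the whitespace layout of a PEM block, not to its content. The script below is an added example, not code from the thread or from Cisco: it takes any PEM block, strips the body to bare base64, checks that the decoded bytes form one complete DER SEQUENCE (so a truncated or mangled paste is caught before it reaches a device), and then emits either the 64-column form OpenSSL expects or the single-line form phlafeil arrives at with a hex editor (header, one line feed, body, one line feed, footer, no trailing line feed). The single-line layout is taken from that post and is assumed, not verified against a device; the sample CSR is a constructed placeholder blob, not a real request. Note what this does not fix: `BEGIN PUBLIC KEY` (SubjectPublicKeyInfo) and `BEGIN RSA PUBLIC KEY` (PKCS#1) are different DER structures, which is why renaming the banner in Dirk's post failed; that conversion is the `openssl rsa -RSAPublicKey_out` step above, after which this script handles only the line layout.

```python
import base64
import binascii
import re

# Matches a single PEM block whatever its line wrapping; the END label must
# equal the BEGIN label.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed sample (not a real CSR): an outer DER SEQUENCE of 256 filler
# bytes, base64-encoded onto one line the way the post says the SG300 shows it.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_SINGLE_LINE_CSR = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE REQUEST-----"
)


def split_pem(text):
    """Return (label, base64 body with all whitespace removed)."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    return m.group("label"), re.sub(r"\s+", "", m.group("body"))


def der_length_ok(der):
    """Check that the bytes are exactly one DER SEQUENCE (tag 0x30) whose
    encoded length matches what was actually pasted. CSRs, certificates and
    PKCS#1 keys all start this way, so a truncated paste is caught here."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                    # short form: one length byte
        header, length = 2, first
    else:                               # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)


def decode_body(body):
    """Strict base64 decode plus the DER sanity check; raises ValueError."""
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as e:
        raise ValueError("bad base64 decode: %s" % e)
    if not der_length_ok(der):
        raise ValueError("decoded bytes are not one complete DER SEQUENCE")
    return der


def to_openssl_pem(text):
    """Rewrap the body at 64 characters per line, the layout OpenSSL's PEM
    reader accepts (the single-line form gives 'bad base64 decode')."""
    label, body = split_pem(text)
    decode_body(body)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def to_single_line_pem(text):
    """The layout phlafeil's hex-editor steps produce (assumed from the post):
    one line feed after BEGIN, one before END, body on one line, no trailing
    line feed."""
    label, body = split_pem(text)
    decode_body(body)
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (label, body, label)


if __name__ == "__main__":
    import sys
    # Usage: python pemwrap.py openssl|single < in.pem > out.pem
    conv = to_single_line_pem if sys.argv[1:] == ["single"] else to_openssl_pem
    sys.stdout.write(conv(sys.stdin.read()))
```

The same conversion applies to the private key from step 3, which is unencrypted once `openssl rsa` has written it; treat the single-line copy as a secret and delete it after the paste, since it exists only to satisfy the web form.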

Hello @phlafeil,

Thank you for sharing your experience/know-how with us. I have a CBS350 series switch and nothing has changed so far. Your method also works with this switch. I do not really understand why there is such a poor certificate input implementation. It is the first time I have experienced a GUI that wants users to copy-paste certificates. I would prefer the possibility of importing a PKCS#12 (PFX) certificate. I have one PFX certificate for multiple purposes (many different GUIs) and this is the worst implementation I have ever seen.
